Objective

Commercial networking software is too unreliable and too insecure to be used in critical applications, especially in the military. This concern has been elevated to a national priority by the Presidential Commission on Critical Infrastructure Protection and by the President's Information Technology Advisory Committee (PITAC). The main project goal was to create highly innovative techniques and systems that can be integrated into the software development process to substantially improve the reliability and durability of the results. We have demonstrated the applicability of our contributions on networking software, specifically on computing networks such as BBN's UAV and Boeing's BoldStroke applications.


Approach

The project has designed, built and tested a prototype system called a Logical Programming Environment (LPE). The LPE provides the means to formally specify and check properties of system design and code as it is being developed, as well as to verify and optimize code that has already been written.

The task of formally checking properties of code is organized in the LPE as an extension of static type checking. The type checker is enhanced by a theorem prover. Some properties depend upon a great deal of knowledge about a particular system architecture, such as event channels and event notification services, as well as upon general mathematical knowledge about common data structures and mathematical types. Much of the general mathematical knowledge has been formally proved by several theorem-proving systems. The LPE is designed so that this general knowledge can be shared; sharing is achieved by providing access to the libraries of various theorem provers through an LPE component called a Formal Digital Library.

The specific approach of this project proceeded simultaneously in three major areas.

• First, the logical language of the LPE was used to build formal models of networked embedded systems as well as formally verified knowledge and tailored analysis strategies.

• Second, the LPE was used to specify dynamic embedded systems by composition of services and to generate re-usable, re-configurable, correct, and reliable code for them, thus increasing the assurance, flexibility, and efficiency of key applications. After 2000 this was focused especially on the DARPA OEP.

• Finally, the capabilities of the LPE were continuously enhanced by extending its logical language and by integrating new automatic reasoning techniques that support the verification of embedded networked systems as well as reasoning about program composition, property-preserving code transformations, and real-time aspects.
Accomplishments


In the course of the project we have successfully applied the Logical Programming Environment in increasingly complex applications, ranging from formal support for the Ensemble group communication system to the automatic generation of coordinated contracts for BBN's Unmanned Aerial Vehicle (UAV) Open Experimental Platform (OEP) and an interface between this OEP and the Logical Programming Environment. Early in the process there were significant extensions to the LPE's logical foundations and its automated reasoning capabilities.

The following gives a comprehensive summary of the specific accomplishments. An extensive account of the research results is given in the publications of the research team, which are listed below and referred to in the text.

Optimization and Verification of Communication Systems

Using the first prototype of the LPE, we have developed fully automatic tools for improving the code of the Ensemble group communication system [2,5,7,9,30]. The improved code operates three to ten times faster than the original and is generated in a matter of seconds. Comparable improvements done by hand took months of tedious and complex work on smaller examples, and the complexity led to errors in the faster code. In contrast, the code modifications created by the automatic tools are guaranteed to be correct, that is, the improved code computes the exact same results as the original.

We have rigorously proved safety properties of the total ordering layer of Ensemble (ETO) using I/O automata, and we used the proof to guide the correction of a subtle error in that layer [6,8]. The proof also led to the proper repair of the error.

Formal Design of Adaptive Systems

We have designed a generic switching protocol for the construction of adaptive network systems [16] and formally proved it correct with the Logical Programming Environment [17,20,21]. In the process we have developed a formal characterization of communication properties that can be preserved when the system switches between different protocols. We have also developed an abstract characterization of invariants that have to be satisfied by an implementation of the switching protocol in order to work correctly.

As a foundation for this work we have introduced the novel concept of meta-properties. Meta-properties make it possible to give an abstract characterization of "switchable" system properties, which in turn makes it easier to check whether a specific set of protocols can be employed in an adaptive system. We have described switchable properties in terms of several meta-properties such as "safety", "asynchrony", "delayable", and "send-enabled", as well as "composability" and "memorylessness". The first four of these properties are required for any layered communication system while the latter two are necessary for switching. The abstract approach represents a major increase in our formal understanding of distributed systems and makes it possible to support the formal analysis and design of networked systems, including those dealing with real-time and embedded systems.


With the LPE we have formally proven that communication properties that satisfy these six meta-properties are preserved under switching, whenever the switch maintains a simple synchronization invariant. The verification efforts revealed a variety of implicit assumptions that are usually made when designing communication systems and uncovered minor design errors that would have otherwise made their way into the implementation. This demonstrates that formal reasoning about group communication in an expressive theorem proving environment such as the Logical Programming Environment can contribute to the design and implementation of verifiably correct network software.

We have evaluated the performance implications of using our hybrid protocol by switching between two well-known mechanisms for implementing total order and shown that switching close to the cross-over point of these protocols' performance leads to the best practical results.
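The following is an added illustration, not code from this report or from the Ensemble and LPE work it describes, of why the synchronization invariant matters when switching between two total-order mechanisms. It models a fixed-sequencer protocol and a rotating-token protocol on a constructed five-message scenario with two group members, and it reads the invariant as a flush (no delivery from the new protocol until every member has delivered everything sent under the old one); the report does not spell out the invariant, so that reading is an assumption. The `total_order_holds` check is a safety property in the sense used above: once two members disagree on the relative order of two messages, no later delivery can repair it.

```python
"""Protocol switch between two total-order mechanisms, with and without the
synchronization invariant.  Constructed illustration; names and timings are made up."""
from itertools import combinations

# Constructed scenario: two members, five multicasts, switch after m3.
NODES = ("A", "B")
EPOCH1 = ["m1", "m2", "m3"]                    # sent while the sequencer protocol is active
EPOCH2 = ["m4", "m5"]                          # sent after the switch to the token protocol
SEQUENCER_ARRIVAL = {"m1": 1, "m2": 2, "m3": 3}  # order in which the sequencer saw epoch-1 traffic
SENDER = {"m4": "A", "m5": "B"}
TOKEN_RING = ("A", "B")
# Local arrival time of each message at each member: m3 reaches B late (constructed).
LOCAL_ARRIVAL = {
    "A": {"m1": 1, "m2": 2, "m3": 3, "m4": 4, "m5": 5},
    "B": {"m1": 1, "m2": 2, "m3": 6, "m4": 4, "m5": 5},
}


def sequencer_order(msgs, arrival):
    """Fixed sequencer: every member delivers in the order messages reached the sequencer."""
    return sorted(msgs, key=arrival.__getitem__)


def token_order(msgs, sender, ring):
    """Rotating token: members send in ring order, one pending message per token hold."""
    pending = {n: [m for m in msgs if sender[m] == n] for n in ring}
    order = []
    while any(pending.values()):
        for n in ring:
            if pending[n]:
                order.append(pending[n].pop(0))
    return order


def merge_by_arrival(old, new, arrival):
    """Without the invariant a member delivers whichever protocol's next message arrived first
    locally, so the interleaving of the two epochs depends on per-member network delay."""
    out, i, j = [], 0, 0
    while i < len(old) or j < len(new):
        take_old = j == len(new) or (i < len(old) and arrival[old[i]] <= arrival[new[j]])
        if take_old:
            out.append(old[i])
            i += 1
        else:
            out.append(new[j])
            j += 1
    return out


def deliveries(flush):
    """Delivery sequence at every member; flush=True enforces the synchronization invariant."""
    old = sequencer_order(EPOCH1, SEQUENCER_ARRIVAL)
    new = token_order(EPOCH2, SENDER, TOKEN_RING)
    if flush:
        # Invariant (assumed reading): epoch 2 starts only once epoch 1 is delivered everywhere,
        # so every member sees the old order followed by the new order.
        return {n: old + new for n in NODES}
    return {n: merge_by_arrival(old, new, LOCAL_ARRIVAL[n]) for n in NODES}


def total_order_holds(delivs):
    """Safety property: any two members deliver their common messages in the same relative order."""
    for a, b in combinations(delivs.values(), 2):
        pos_a = {m: i for i, m in enumerate(a)}
        pos_b = {m: i for i, m in enumerate(b)}
        common = [m for m in a if m in pos_b]
        for x, y in combinations(common, 2):
            if (pos_a[x] < pos_a[y]) != (pos_b[x] < pos_b[y]):
                return False
    return True


if __name__ == "__main__":
    for flush in (True, False):
        d = deliveries(flush)
        print("flush" if flush else "no flush", d, "total order:", total_order_holds(d))
```

Each protocol on its own yields a single delivery sequence, so the only place total order can break is the seam between the two epochs; the run without the flush shows member B delivering m4 and m5 ahead of the straggling m3 while A does not.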

Knowledge-based Generation of Coordinated Contracts

We have developed and implemented a prototype of MediaNet [25], a general infrastructure for real-time network computations. MediaNet generalizes the computing network underlying both BBN's UAV applications and parts of Boeing's BoldStroke architecture.

In this setting we have developed a self-adaptive task allocation manager that controls the processing of real-time media over a network through coordinated local schedules. It is able to adapt, in user-specified ways, to changing workloads and network conditions, attempting to deliver the specified quality of service and to meet other specifications. The task allocation manager assigns, based on current resource availability, computing and communication tasks to each node of the network in a way that maximizes a combination of user utility and network utilization.

This functionality has been demonstrated in a configuration where we throttle network bandwidth and show how the system adapts between different compression schemes in order to maintain smooth video transport. It can serve as Resource Allocation Manager for BBN's UAV system and also provides a setting for formal reasoning about aspect-oriented design and code assembly.

Building upon the above-mentioned work on specifying, verifying, and formally designing communication protocols, we have developed a formal model of networked stream computations that allows us to incorporate both real-time constraints and resource limitations into our specifications. The model makes it possible to reason about safety and liveness properties and about self-adaptation with respect to different schedules and changing data formats. It also makes it possible to factor UAV computations into aspects, including functional requirements, QoS requirements and security requirements. We can also weave fault-tolerant communications into the distribution of operations on the underlying computing network.

Within the Logical Programming Environment we have, using the above formal model, developed an algorithm that derives coordinated local schedules and quality of service contracts from a global schedule. The algorithm approximates the behavior of the global scheduler with a distributed collection of local schedulers, one for each network node. A local scheduler assigns tasks to its node based only on its observation of the bandwidth of its output links, its CPU resources, and information, called "tags", passed to it by its predecessor nodes.

To generate the local schedulers, we use the MediaNet global scheduler as an offline "black box". The key idea of the algorithm is to use the logical form of the user specifications to create the set of tags. The tags correspond to all the subterms of the user specs. Proceeding in topologically sorted order, at each node we know the combinations of tags produced by the predecessor nodes. For each combination of tags we can compute a new user specification that replaces the subterms corresponding to the tags by the input streams of the node. Using this new specification we call the global scheduler with varying bandwidth parameters and tabulate the tasks that it assigns to the current node. In this part of the algorithm we use a machine learning method called "support vector machines". In this way we create a table of tasks to assign to the current node as a function of the input tags and the output bandwidths, and this is the specification of the local scheduler.
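As an added example (not MediaNet's or the LPE's own code), the tag-based derivation described in this section, together with the bandwidth-driven adaptation between stream formats described above, carried out on a constructed three-node network for the specification merge(scale(camA), camB). Tags are the subterms of the specification; each node is processed in topological order, the tags its predecessors may emit are substituted by the node's input streams, and the resulting local specification is handed to the global scheduler for each probed bandwidth. The global scheduler here is a stand-in policy (make the most progress the node's inputs allow, with the least local work that still fits the output link), the support vector machine fitting step is replaced by tabulating every probed bandwidth, and the node names, rates and bandwidths are all constructed.

```python
"""Derive local scheduler tables from a global scheduler used as an offline black box.
Constructed illustration of the tag-based derivation; the scheduler policy is not MediaNet's."""
from itertools import product

# User specification as a term: a str names a source stream, a tuple is (operation, *arguments).
SPEC = ("merge", ("scale", "camA"), "camB")

# Computing network (constructed): node -> predecessor nodes; camA and camB are sources.
PREDS = {"camA": [], "camB": [], "n1": ["camA"], "n2": ["camB"], "n3": ["n1", "n2"]}
SOURCE_TAGS = {"camA": "camA", "camB": "camB"}  # a source emits the raw stream its name denotes
RATE = {"camA": 8, "camB": 4}                   # raw stream rates (constructed units)
BANDWIDTHS = (2, 4, 8)                          # output-link bandwidths probed at every node


def subterms(t):
    """All subterms of a term; these are the candidate tags."""
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)


def leaves(t):
    return [t] if isinstance(t, str) else [l for a in t[1:] for l in leaves(a)]


def ops(t):
    """Number of operations a term asks the executing node to perform."""
    return 0 if isinstance(t, str) else 1 + sum(ops(a) for a in t[1:])


def substitute(t, mapping):
    """Replace every subterm found in `mapping` by its image (tags -> input streams, or back)."""
    if t in mapping:
        return mapping[t]
    if isinstance(t, tuple):
        return (t[0],) + tuple(substitute(a, mapping) for a in t[1:])
    return t


def rate(t, leaf_rates):
    """Stream rate of a term: scale and compress halve their input, merge adds its inputs."""
    if isinstance(t, str):
        return leaf_rates[t]
    op, *args = t
    r = sum(rate(a, leaf_rates) for a in args)
    return r // 2 if op in ("scale", "compress") else r


def global_scheduler(local_spec, inputs, in_rates, bw):
    """Stand-in for the global scheduler (constructed policy): run the part of the spec that
    makes the most progress from this node's inputs, doing the least local work that still
    fits the output link; if nothing fits, take the candidate that overloads the link least."""
    computable = [s for s in subterms(local_spec) if all(l in inputs for l in leaves(s))]
    most = max(len(leaves(s)) for s in computable)
    maximal = [s for s in computable if len(leaves(s)) == most]
    fitting = [s for s in maximal if rate(s, in_rates) <= bw]
    if fitting:
        return min(fitting, key=ops)
    return min(maximal, key=lambda s: rate(s, in_rates))


def topo_order(preds):
    order = []
    while len(order) < len(preds):
        for n in sorted(preds):
            if n not in order and all(p in order for p in preds[n]):
                order.append(n)
    return order


def derive_local_schedulers(spec, preds, source_tags, bandwidths, rates):
    """For each node, tabulate the task to run as a function of (input tags, output bandwidth)."""
    tags_out = {s: {t} for s, t in source_tags.items()}  # tags each node may emit downstream
    tables = {}
    for node in topo_order(preds):
        if not preds[node]:
            continue
        table, emitted = {}, set()
        # Predecessors are already processed, so the tag combinations they can produce are known.
        for combo in product(*(sorted(tags_out[p], key=repr) for p in preds[node])):
            inputs = {f"{p}->{node}": tag for p, tag in zip(preds[node], combo)}
            local_spec = substitute(spec, {tag: name for name, tag in inputs.items()})
            in_rates = {name: rate(tag, rates) for name, tag in inputs.items()}
            for bw in bandwidths:
                task = global_scheduler(local_spec, inputs, in_rates, bw)
                table[(combo, bw)] = task
                emitted.add(substitute(task, inputs))  # map input names back to spec subterms
        tables[node], tags_out[node] = table, emitted
    return tables


if __name__ == "__main__":
    for node, table in derive_local_schedulers(SPEC, PREDS, SOURCE_TAGS, BANDWIDTHS, RATE).items():
        for (combo, bw), task in table.items():
            print(node, "tags", combo, "bw", bw, "->", task)
```

The resulting table for n1 scales the camera stream locally at the two lower bandwidths and forwards it raw when the link can carry it, which is exactly why n3 must be tabulated for two different input tags: depending on what n1 chose, n3 either still has the scaling to do or only the merge.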

Integration into Open Experimental Platforms

To support formal reasoning about media computing networks such as MediaNet and BBN's UAV applications we have implemented an XML interface for our LPE. It makes it possible to automatically import XML specifications generated by the MediaNet scheduler or by Vanderbilt's graphical modeling (GME) tools into our LPE and to formally analyze the actual code of MediaNet and the XML representation of BBN's UAV provided by Vanderbilt's GME.

We have developed prototypical techniques for translating the schedules generated by the LPE and MediaNet into a representation suitable for the GME and used them to automatically create coordinated CDL contracts. Ongoing contacts with Vanderbilt and BBN will enable us to refine these techniques such that the generated CDL contracts can be automatically deployed to BBN's UAV network.

Logical Foundations

We have developed a formal class theory that provides a logical foundation for design and verification through composition and weaving [15,27,29]. The theory provides the logical laws of records, modules, subtyping, and objects as well as operations for composing modules and properties. Our formal intersection operator can be used to express both functional composition and aspect weaving, and is guaranteed to combine all safety properties of the composed code pieces. Class theory is therefore well-suited as a logical foundation for compositional design and verification.

We also have developed a theoretical basis for an efficient logical reflection mechanism [28]. It will enable the LPE to analyze intensional properties of systems such as the computational complexity [18,22,23] of generated software, as well as timing, use of resources, or synchronization.


Tools for Automated Reasoning and Formal Documentation

We have significantly enhanced the automatic reasoning tools of the LPE by adding generic proof techniques that support the verification of networked systems and their implementations and proof strategies especially tailored towards reasoning about program composition, aspect weaving, and embedded systems. Substantial new reasoning capabilities are now in place.

We have integrated JProver [3,12,13,19], a fully automated theorem prover for constructive first-order logic, as an external proof engine into the LPE. JProver operates on matrices and connections, a very compact representation of the search space that substantially reduces the time needed for finding proofs. Extensions of JProver towards inductive theorem proving have been explored in theory [1,4,11,24] and are currently being added to the theorem prover.
We have introduced new techniques for asynchronous and parallel theorem proving [10,26], and are currently adding strategies that utilize external proof systems such as PVS and MetaPRL [14] as well as constraint solvers and computer algebra systems.

We have implemented tools that enable the verification system to learn from the work it has already done by "mining" proofs for reasoning steps that can be reused as "derived inference rules".

We have developed mechanisms for the creation of formal documentation in the LPE. Documentation with references to the actual LPE proofs is now part of the persistent LPE library and thus accessible to search and dependency tracking mechanisms. It can be viewed online or converted into a typeset version for publication.

The use of these techniques has significantly increased the degree of automation in formal design and verification and will increase the productivity of rigorous design methods.